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WHAT IS CLAIMED IS: 

1 . A computer-implemented method for generating access control 
information, the method comprising: 

receiving an access control rule that identifies a characteristic; 

identifying at least one entry in user information that is associated with the 
identified characteristic; 

identifying at least one entry in data object information that is associated with the 
identified characteristic; and 

generating access control information that permits at least one user associated 
with the at least one entry in the user information to access the at least one entry in the 
data object information. 

2. The method of claim 1 wherein: 

the identified characteristic is indirectly associated with the at least one entry in 
the user information, and 

identifying at least one entry in user information that is associated with the 
identified characteristic comprises identifying at least one entry in user information that is 
indirectly associated with the identified characteristic . 

3. The method of claim 1 wherein: 

the identified characteristic is directly associated with the at least one entry in the 
user information, and 

identifying at least one entry in user information that is associated with the 
identified characteristic comprises identifying at least one entry in user information that is 
directly associated with the identified characteristic. 

4. The method of claim 1 wherein generating access control information 
comprises: 

generating user access control information that identifies the at least one entry in 
the user information that is associated with the identified characteristic, 
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5 generating object access control information that identifies the at least one entry 

6 in the data object information that is associated with the identified characteristic, and 

7 associating at least one entry in the user access control information with at least 

8 one entry in the data object access control information. 

1 5. The method of claim 4 further comprising storing the association of the at 

2 least one entry in the user access control information with the at least one entry in the 

3 data object access control information. 

1 6. The method of claim 4 further comprising: 

2 storing the data object access control information, and 

3 storing the user access control information. 

1 7. The method of claim 4 further comprising determining whether a 

2 particular user associated with the at least one entry in the user access control information 

3 is permitted access to a particular data object that is associated with the at least one entry 

4 in the data object access control information wherein the determination is based on the 

5 association of the at least one entry in the user access control information with the at least 

6 one entry in the data object access control information. 

1 8. The method of claim 1 further comprising receiving a filter condition, 



2 wherein generating access control information further comprises generating access 

3 control information by eliminating at least one entry in the user information that 

4 corresponds to the received filter condition such that access control information does not 

5 include the eliminated at least one entry in the user information. 

1 9. The method of claim 1 further comprising receiving a filter condition, 

2 wherein generating access control information further comprises generating access 

3 control information by eliminating at least one entry in the data object information that 

4 corresponds to the received filter condition such that access control information does not 

5 include the eliminated at least one entry in the data object information. 
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1 1 0. A computer system for managing access control information for software 

2 operating on the computer system, the system comprising: 

3 a data repository for access control information for software, the data repository 

4 including user information identifying a user characteristic for at least one entry in the 

5 user information, data object information identifying a data object characteristic for at 

6 least one entry in the data object information, and access control rule information 

7 identifying a shared characteristic for at least one entry in the access control rule 

8 information; and 

9 an executable software module that causes (1) a comparison of the user 

10 characteristic, the business object characteristic, and the shared characteristic and (2) 

1 1 generation of access control information for use in determining whether a user that is 

12 associated with an entry in the user information is permitted to access a data object that is 

1 3 associated with an entry in the data object information such that when the user 

14 characteristic, the data object characteristic and the shared characteristic each correspond 

15 to one another, the user is permitted to access the data object. 

1 11. The computer system of claim 1 0 fiirther comprising a second executable 

2 software module that causes a determination whether a user associated with an entry in 

3 the user information is permitted to access a data object associated with an entry in the 

4 data object information such that the determination is based on the generated access 

5 control information. 



1 12. The computer system of claim 1 1 wherein the second executable software 

2 module is the same executable software module as the first executable software module. 

1 13. The computer system of claim 1 0 wherein the executable software module 

2 causes the generation of access control information that indicates that the user is 

3 permitted to access a business object when (1) the user characteristic corresponds to the 

4 shared characteristic and the (2) the data object characteristic corresponds to the shared 

5 characteristic. 
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1 1 4. The computer system of claim 1 0 wherein the executable software module 

2 causes an association between at least one entry in the user information and at least one 

3 entry in the access control information when the user characteristic corresponds to the 

4 shared characteristic. 

1 15. The computer system of claim 14 wherein the executable software module 

2 causes an association between at least one entry in the data object information and at least 

3 one entry in the access control information when the data object characteristic 

4 corresponds to the shared characteristic. 

1 1 6. The computer system of claim 1 5 wherein the executable software module 

2 causes a determination whether the user is permitted access to the data object based on 

3 the association of the user information to the shared characteristic and the association 

4 between the data object information and the shared characteristic. 

1 17. The computer system of claim 1 0 wherein: 

2 the data repository includes: 

3 user group information that associates a user group with at least 

4 one entry in the user information, and 

5 access control rule information that identifies action that a user 

6 who is associated with group of users is permitted to perform on a data 

7 object, and 

8 the executable software module causes a determination to be made, based on an 

9 association of the at least one entry in the user information with the user group, as to 

10 whether the user associated with the at least one entry in the user information is permitted 

1 1 to perform a particular action on a particular data object. 

1 1 8. A computer-readable medium or propagated signal having embodied 

2 thereon a computer program configured to generate access control information, the 

3 medium or signal comprising one or more code segments configured to: 
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5 identify at least one entry in user information that is associated with the identified 

6 characteristic; 

7 identify at least one entry in data object information that is associated with the 

8 identified characteristic; and 

9 generate access control information that permits a user associated with the at least 

10 one entry in the user information to access the at least one entry in the data object 

1 1 information. 

1 1 9. The medium or signal of claim 1 8 wherein the one or more code segments 

2 configured to generate access control information comprise one or more code segments 

3 configured to: 

4 generate user access control information that identifies the at least one entry in the 

5 user information that is associated with the identified characteristic, 

6 generate object access control information that identifies the at least one entry in 

7 the data object information that is associated with the identified characteristic, and 

8 associate at least one entry in the user access control information with at least one 

9 entry in the data object access control information. 

1 20. The medium or signal of claim 1 9 wherein the one or more code segments 

2 are further configured to determine whether a particular user associated with the at least 

3 one entry in the user access control information is permitted access to a particular data 



4 object that is associated with the at least one entry in the data object access control 

5 information wherein the determination is based on the association of the at least one entry 

6 in the user access control information with the at least one entry in the data object access 

7 control information. 

1 21. The medium or signal of claim 1 8 wherein the one or more code segments 

2 are further configured to: 

3 receive a filter condition, and 
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4 generate access control information by eliminating at least one entry in the user 

5 information that corresponds to the received filter condition such that access control 

6 information does not include the eliminated at least one entry in the user information. 

1 22. The medium or signal of claim 18 wherein the one or more code segments 

2 are further configured to: 

3 receive a filter condition, and 

4 generate access control information further comprises generating access control 

5 information by eliminating at least one entry in the data object information that 

6 corresponds to the received filter condition such that access control information does not 

7 include the eliminated at least one entry in the data object information. 
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